
Craigslist hack knocks web classified site offline: Who’s behind it?

The venerable web classifieds site, Craigslist, was knocked offline last night and is still not loading for some visitors. Local versions are redirecting for others. Users visiting the site yesterday evening were redirected to a site called Digital Gangster as a result of what looks like a DNS hijack.

Presumably unable to cope with the huge amount of traffic Craigslist receives, the Digital Gangster website is now itself inaccessible. The Digital Gangster forum was the source of a well-publicised Twitter hack in 2009 and the theft of Miley Cyrus photos from her Gmail account in 2008.

Craigslist’s domain record was modified yesterday, with the new domain name registrant listed as “steven wynhoff @LulzClerk”. @LulzClerk is a suspended Twitter account. Steven Wynhoff, meanwhile, does have a live Twitter account but it hasn’t tweeted since 2013.

Given that there are a number of postings online purporting to “dox” Wynhoff, i.e. expose his personal information, it seems fairly likely that he’s not the person behind the Nakamoto incident or the attack on Craigslist. You’d have to be phenomenally stupid to use your real name in an attack on a hugely popular website.

While Craigslist’s domain record has now been restored to its rightful owners, the site remains offline. If the issue is simply a DNS attack, it could take several hours for it to come back online as the settings propagate across global servers. That explains why the site appears to be slowly getting back to normal.

DNS attacks are generally not complex and rarely involve breaches of customer data. Instead, hackers use phishing and other social engineering attempts to get access to the accounts that control the domain name.

We’ve contacted Craigslist and will update this post with more information when we get it.

Update: Craigslist’s CEO, Jim Buckmaster, has published a blog post confirming that there was a DNS attack on the site. He says:

“At approximately 5pm PST Sunday evening the craigslist domain name service (DNS) records maintained at one of our domain registrars were compromised, diverting users to various non-craigslist sites.

This issue has been corrected at the source, but many internet service providers (ISPs) cached the false DNS information for several hours, and some may still have incorrect information.

If you are unable to reach the craigslist site, please ask your network provider or tech staff to flush all *.craigslist.org and *.craigslist.com entries (A,CNAME,SOA) from their DNS servers.”
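The caching effect described above can be checked from the defender's side by comparing what each recursive resolver still serves for A, CNAME and SOA against the records the owner expects. The sketch below is an added example, not code from the article or from craigslist; the domain, addresses, resolver labels and timestamps are constructed documentation values.

```python
from datetime import datetime, timedelta, timezone

# Constructed baseline of the records the owner expects (documentation names/IPs).
BASELINE = {
    ("example.org.", "A"): {"192.0.2.10"},
    ("www.example.org.", "CNAME"): {"example.org."},
    ("example.org.", "SOA"): {"ns1.example.org."},  # primary nameserver (MNAME) only
}
NOW = datetime(2020, 1, 1, 6, 0, tzinfo=timezone.utc)  # constructed observation time

# Constructed answers seen through three hypothetical ISP resolvers:
# (resolver, name, type, value, remaining TTL in seconds as reported by the cache)
OBSERVED = [
    ("isp-a", "example.org.", "A", "192.0.2.10", 300),
    ("isp-a", "WWW.example.org", "CNAME", "Example.org", 300),
    ("isp-b", "example.org.", "A", "198.51.100.66", 14400),
    ("isp-b", "example.org.", "SOA", "ns1.hijack.invalid.", 3600),
    ("isp-c", "www.example.org.", "CNAME", "landing.hijack.invalid.", 7200),
]

def norm(name):
    """DNS names compare case-insensitively; use lower case with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def audit(observed, baseline, now):
    """Return one finding per cached answer that differs from the baseline."""
    findings = []
    for resolver, name, rtype, value, ttl in observed:
        key = (norm(name), rtype.upper())
        if key not in baseline:
            continue  # record is not tracked
        served = value.strip() if key[1] == "A" else norm(value)
        if served not in baseline[key]:
            findings.append({"resolver": resolver, "name": key[0], "type": key[1],
                             "served": served, "expires": now + timedelta(seconds=ttl)})
    return findings

def resolvers_to_flush(findings):
    """Resolvers whose operators should be asked to flush the zone."""
    return sorted({f["resolver"] for f in findings})

def stale_until(findings):
    """When the last false entry ages out if nobody flushes; None if clean."""
    return max((f["expires"] for f in findings), default=None)

if __name__ == "__main__":
    bad = audit(OBSERVED, BASELINE, NOW)
    print("flush:", resolvers_to_flush(bad), "clean by:", stale_until(bad))
```

With the constructed data, the longest remaining TTL on a false record (four hours on one resolver) sets how long some users keep being diverted after the registrar records are corrected, unless that resolver is flushed.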